1. A method of network surveillance, comprising:
receiving network packets handled by a network entity;
building at least one long-term and at least one short-term statistical profile from at least one measure of the network packets, the at least one measure monitoring data transfers, errors, or network connections;
comparing at least one long-term and at least one short-term statistical profile; and
determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.



2. The method of claim 1, wherein the measure monitors data transfers by monitoring network packet data transfer commands.



3. The method of claim 1, wherein the measure monitors data transfers by monitoring network packet data transfer errors.

4. The method of claim 1, wherein the measure monitors data transfers by monitoring network packet data transfer volume.



5. The method of claim 1, wherein the measure monitors network connections by monitoring network connection requests.

6. The method of claim 1, wherein the measure monitors network connections by monitoring network [illegible]

7. The method of claim 1, wherein the measure monitors network connections by monitoring a correlation of network connections requests and network connection denials.



8. The method of claim 1, wherein the measure monitors errors by monitoring error codes included in a network packet.



9. The method of claim 8, wherein an error code comprises a privilege error code.



10. The method of claim 8, wherein an error code comprises an error code indicating a reason a packet was rejected.
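
Claims 1 and 8 to 10 leave the statistics unspecified. The following Python sketch is an added example, not taken from the patent: it assumes exponentially aged category frequencies and a chi-square-like distance, and the category names, decay factors, threshold and warm-up length are all constructed for illustration.

```python
from collections import Counter

# Constructed error-code categories; the claims name privilege and rejection codes.
CATEGORIES = ("ok", "privilege_error", "rejected")

class Profile:
    """Exponentially aged frequency profile of one categorical measure."""
    def __init__(self, decay):
        self.decay = decay              # assumed aging factor per observation
        self.weights = Counter()

    def update(self, category):
        for key in self.weights:        # age older observations
            self.weights[key] *= self.decay
        self.weights[category] += 1.0

    def distribution(self, floor=0.0):
        # floor keeps never-seen categories from having zero expected mass
        total = sum(self.weights.values()) + floor * len(CATEGORIES)
        return {c: (self.weights[c] + floor) / total for c in CATEGORIES}

def deviation(short, long):
    """Chi-square-like distance of short-term from long-term (assumed statistic)."""
    st, lt = short.distribution(), long.distribution(floor=0.5)
    return sum((st[c] - lt[c]) ** 2 / lt[c] for c in CATEGORIES)

class Monitor:
    def __init__(self, threshold=1.0, warmup=50):
        self.long, self.short = Profile(0.999), Profile(0.9)
        self.threshold, self.warmup, self.seen = threshold, warmup, 0

    def observe(self, code):
        self.seen += 1
        self.short.update(code)
        score = deviation(self.short, self.long)
        if self.seen > self.warmup and score > self.threshold:
            return {"seq": self.seen, "code": code, "score": round(score, 2)}
        self.long.update(code)          # learn only from unflagged traffic
        return None

def sample_stream():
    # Constructed input: 200 mostly successful packets, then 10 privilege errors.
    base = ["rejected" if i % 20 == 19 else "ok" for i in range(200)]
    return base + ["privilege_error"] * 10

def run(stream):
    monitor = Monitor()
    return [e for e in map(monitor.observe, stream) if e]

if __name__ == "__main__":
    for event in run(sample_stream()):
        print(event)
```

Flagged observations are withheld from the long-term profile so that a sustained burst cannot quickly retrain the baseline it is being compared against.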



11. The method of claim 1, further comprising responding based on the determining whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.



12. The method of claim 11, wherein responding comprises transmitting an event record to a network monitor.

13. The method of claim 12, wherein transmitting the event record to a network monitor comprises transmitting the event record to a hierarchically higher network monitor.



14. The method of claim 13, wherein transmitting the event record to a network monitor comprises transmitting the event record to a network monitor that receives event records from multiple network monitors.

15. The method of claim 14, wherein the network monitor that receives event records from multiple network monitors comprises a network monitor that correlates activity in the multiple network monitors based on the received event records.

16. The method of claim 11, wherein responding comprises altering analysis of the network packets.

17. The method of claim 11, wherein responding comprises severing a communication channel.






18. The method of claim 1, wherein the network packets comprise TCP/IP packets.



19. The method of claim 1, wherein the network entity comprises a gateway, a router, or a proxy server.



20. The method of claim 1, wherein the network entity comprises a virtual private network entity.






21. A method of network surveillance, comprising:
monitoring network packets handled by a network entity;
building a long-term and multiple short-term statistical profiles of the network packets;
comparing one of the multiple short-term statistical profiles with the long-term statistical profile; and
determining whether the difference between the one of the multiple short-term statistical profiles and the long-term statistical profile indicates suspicious network

22. The method of claim 21, wherein the multiple short-term statistical profiles comprise profiles that monitor different anonymous FTP sessions.



23. The method of claim 21, wherein building multiple short-term statistical profiles comprises deinterleaving packets to identify a short-term statistical profile.

24. A computer program product, disposed on a computer readable medium, the product including instructions for causing a processor to:
receive network packets handled by a network entity;
build at least one long-term and at least one short-term statistical profile from at least one measure of the network packets, the measure monitoring data transfers, errors, or network connections;
compare at least one short-term and at least one long-term statistical profile; and
determine whether the difference between the short-term statistical profile and the long-term statistical profile indicates suspicious network activity.

25. A method of network surveillance, comprising:
receiving packets at a virtual private network entity; and
building at least one long-term and at least one short-term statistical profile based on the received packets, and
comparing at least one long-term statistical profile with at least one short-term statistical profile to determine whether the packets indicate suspicious network

decrypting the packets before statistically analyzing the packets.



27. The method of claim 25, further comprising not decrypting the packets before statistically analyzing the